FAILURE during secondary validation again!

I had this error last renewal as well, not sure what's involved, but the DNS provider is timing out or not returning a valid response to cert-bot? Is godaddy's DNS rate limiting cert-bot?

Is anyone else having this issue?

My domain is: donate.harrychapinfoodbank.org


All OK! No issues were found with donate.harrychapinfoodbank.org.

DNS problem: query timed out looking up A for donate.harrychapinfoodbank.org","status":400}

dig A donate.harrychapinfoodbank.org

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> A donate.harrychapinfoodbank.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30525
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;donate.harrychapinfoodbank.org. IN A

;; ANSWER SECTION:
donate.harrychapinfoodbank.org. 1799 IN A 165.227.97.51

;; Query time: 80 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Sun Oct 04 03:51:21 EDT 2020
;; MSG SIZE rcvd: 75

PHP Fatal error: Uncaught AcmePhp\Core\Exception\Protocol\ChallengeFailedException: Challenge failed (response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: Fetching https://donate.harrychapinfoodbank.org/.well-known/acme-challenge/Up4TTYgKdq029IEShx6tW0-NuNSaoW9BQ9tljHvo_wU: No valid IP addresses found for donate.harrychapinfoodbank.org","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/7584342687/olIz9g","token":"Up4TTYgKdq029IEShx6tW0-NuNSaoW9BQ9tljHvo_wU","validationRecord":[{"url":"http://donate.harrychapinfoodbank.org/.well-known/acme-challenge/Up4TTYgKdq029IEShx6tW0-NuNSaoW9BQ9tljHvo_wU","hostname":"donate.harrychapinfoodbank.org","port":"80","addressesResolved":["165.227.97.51"],"addressUsed":"165.227.97.51"},{"url":"https://donate.harrychapinfoodbank.org/.well-known/acme-challenge/Up4TTYgKdq029IEShx6tW0-NuNSaoW9BQ9tljHvo_wU","hostname":"donate.harrychapinfoodbank.org","port":"443","addressesResol in phar:///usr/local/bin/ee/vendor/acmephp/core/AcmeClient.php on line 195

This was the last thread, which I couldn't re-open: During secondary validation: DNS problem: query timed out looking up A for www.harrychapinfoodbank.org","status":400}

Is the solution to leave godaddy DNS to improve the DNS lookup efficiency?

1 Like

There's a more recent thread about these here: During secondary validation: No valid IP addresses found

The error you posted occurred at exactly 1AM UTC. Does the problem persist for you if you pick a more random time?

2 Likes

I get the same error if I manually run the command at random times, even now.
For good measure, I am going to change the cron time to something more random.
This error happens regularly, trying to renew now for 2+ days.

1 Like

Okay, thanks. An engineer got tagged in the other thread, so maybe check for updates there in 2-3 days from now.

1 Like

Ran it manually again now, and it was successful.
I have not made any changes, so the DNS timeout upon lookup of the secondary is preventing the SSL from being renewed. Maybe cert-bot can be adjusted in a manner in which a secondary lookup provides a soft warning instead of a failure?

1 Like

These types of errors (urn:ietf:params:acme:error:dns) are returned by the Let's Encrypt CA per decisions made on high, so certbot is absolutely powerless to do anything.

1 Like
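As an added example (not code from this thread, certbot or acmephp), a small Python helper a renewal wrapper could use to parse a challenge object like the one quoted above, tell a "During secondary validation" DNS failure apart from a primary DNS failure, and pick a jittered retry delay rather than a fixed cron minute. The hostname, address, token and the exact field layout in the sample are constructed placeholders.

```python
import json
import random

# Constructed challenge object modelled on the failure quoted in this thread.
# Hostname, IP and token are placeholders, not values from the real domain.
SAMPLE_CHALLENGE = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": ("During secondary validation: Fetching "
                   "https://example.org/.well-known/acme-challenge/TOKEN-PLACEHOLDER: "
                   "No valid IP addresses found for example.org"),
        "status": 400,
    },
    "validationRecord": [
        {"hostname": "example.org", "port": "80",
         "addressesResolved": ["203.0.113.10"], "addressUsed": "203.0.113.10"},
        {"hostname": "example.org", "port": "443",
         "addressesResolved": ["203.0.113.10"], "addressUsed": "203.0.113.10"},
    ],
})

DNS_ERROR = "urn:ietf:params:acme:error:dns"


def classify_failure(raw_json):
    """Return {retryable, reason, resolved} for an ACME challenge object.

    A DNS error whose detail starts with "During secondary validation", where
    the validationRecord already shows resolved addresses, is treated as a
    transient remote-vantage-point problem worth retrying later; a DNS error
    without that prefix means the primary lookup itself failed (fix DNS first).
    """
    challenge = json.loads(raw_json)
    error = challenge.get("error") or {}
    resolved = set()
    for record in challenge.get("validationRecord", []):
        resolved.update(record.get("addressesResolved", []))
    if challenge.get("status") != "invalid":
        return {"retryable": False, "reason": "not-a-failure", "resolved": resolved}
    is_dns = error.get("type") == DNS_ERROR
    secondary = error.get("detail", "").startswith("During secondary validation")
    if is_dns and secondary and resolved:
        return {"retryable": True, "reason": "secondary-dns-timeout", "resolved": resolved}
    if is_dns:
        return {"retryable": False, "reason": "primary-dns-failure", "resolved": resolved}
    return {"retryable": False, "reason": error.get("type", "unknown"), "resolved": resolved}


def retry_delay_seconds(attempt, base=300, cap=3600, rng=random):
    """Jittered exponential backoff so retries never cluster on the top of the hour."""
    return rng.uniform(0, min(cap, base * 2 ** attempt))
```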

Poor cert-bot. :frowning: But in all seriousness, the IP was discovered correctly by the primary lookup; the secondary lookup timing out or barfing shouldn't be a catastrophic failure, no?

1 Like

I'm going to save you a whole lot of headache... :slightly_smiling_face:

Honestly, I'm not really sure of the rationale.

Thank you - much obliged... random time for the win...

1 Like

We aim to please. :slightly_smiling_face: